2 * rlm_attr_filter.c - Filter A/V Pairs received back from proxy reqs
3 * before sending reply to the NAS/Server that sent
8 * This program is is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License, version 2 if the
10 * License as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
21 * Copyright (C) 2001 The FreeRADIUS server project
22 * Copyright (C) 2001 Chris Parker <cparker@starnetusa.net>
26 #include "libradius.h"
44 static const char rcsid[] = "$Id$";
46 struct attr_filter_instance {
55 * Move only the first instance of an attribute from
56 * one list to another.
58 static void mypairmove(VALUE_PAIR **to, VALUE_PAIR **from, int attr)
60 VALUE_PAIR *to_tail, *i, *next;
61 VALUE_PAIR *iprev = NULL;
64 /* DEBUG2(" attr_filter: moving attr: %d", attr); */
67 * Find the last pair in the "to" list and put it in "to_tail".
71 for(i = *to; i; i = i->next)
76 for(i = *from; i && !moved; i = next) {
79 if (i->attribute != attr) {
85 * Remove the attribute from the "from" list.
93 * Add the attribute to the "to" list.
106 * See if a VALUE_PAIR list contains Fall-Through = Yes
108 * FIXME: not functional at the moment
110 static int fallthrough(VALUE_PAIR *vp)
114 tmp = pairfind(vp, PW_FALL_THROUGH);
116 return tmp ? tmp->lvalue : 0;
121 static CONF_PARSER module_config[] = {
122 { "attrsfile", PW_TYPE_STRING_PTR,
123 offsetof(struct attr_filter_instance,attrsfile), NULL, "${raddbdir}/attrs" },
124 { NULL, -1, 0, NULL, NULL }
127 static int getattrsfile(const char *filename, PAIR_LIST **pair_list)
130 PAIR_LIST *attrs = NULL;
134 rcode = pairlist_read(filename, &attrs, 1);
140 * Walk through the 'attrs' file list.
146 entry->check = entry->reply;
149 for (vp = entry->check; vp != NULL; vp = vp->next) {
152 * If it's NOT a vendor attribute,
153 * and it's NOT a wire protocol
154 * and we ignore Fall-Through,
155 * then bitch about it, giving a
156 * good warning message.
158 if (!(vp->attribute & ~0xffff) &&
159 (vp->attribute > 0xff) &&
160 (vp->attribute > 1000)) {
161 log_debug("[%s]:%d WARNING! Check item \"%s\"\n"
162 "\tfound in filter list for realm \"%s\".\n",
163 filename, entry->lineno, vp->name,
176 * (Re-)read the "attrs" file into memory.
178 static int attr_filter_instantiate(CONF_SECTION *conf, void **instance)
180 struct attr_filter_instance *inst;
183 inst = rad_malloc(sizeof *inst);
185 if (cf_section_parse(conf, inst, module_config) < 0) {
190 rcode = getattrsfile(inst->attrsfile, &inst->attrs);
192 radlog(L_ERR|L_CONS, "Errors reading %s", inst->attrsfile);
193 free(inst->attrsfile);
203 * Find the named realm in the database. Create the
204 * set of attribute-value pairs to check and reply with
205 * for this realm from the database.
207 static int attr_filter_authorize(void *instance, REQUEST *request)
209 struct attr_filter_instance *inst = instance;
210 VALUE_PAIR *request_pairs;
211 VALUE_PAIR **reply_items;
212 VALUE_PAIR *reply_item;
213 VALUE_PAIR *reply_tmp;
214 VALUE_PAIR *check_items;
215 VALUE_PAIR *check_item;
224 VALUE_PAIR *realmpair;
229 * It's not a proxy reply, so return NOOP
232 if( request->proxy == NULL ) {
233 return( RLM_MODULE_NOOP );
236 request_pairs = request->packet->vps;
237 reply_items = &request->reply->vps;
240 * Get the realm. Can't use request->config_items as
241 * that gets freed by rad_authenticate.... use the one
242 * set in the original request vps
244 realmpair = pairfind(request_pairs, PW_REALM);
246 /* Can't find a realm, so no filtering of attributes
247 * or should we use a DEFAULT entry?
248 * For now, just return NOTFOUND. (maybe NOOP?)
250 return RLM_MODULE_NOTFOUND;
253 realmname = (char *) realmpair->strvalue;
254 realm = realm_find(realmname);
257 * Find the attr_filter profile entry for the realm.
259 for(pl = inst->attrs; pl; pl = pl->next) {
262 * If the current entry is NOT a default,
263 * AND the realm does NOT match the current entry,
264 * then skip to the next entry.
266 if ( ((strcmp(pl->name, "DEFAULT") != 0) && !(usedefault))
267 && (strcmp(realmname, pl->name) != 0) ) {
271 /* THIS SECTION NEEDS LOTS OF WORK TO GET THE ATTRIBUTE
272 * FILTERING LOGIC WORKING PROPERLY. RIGHT NOW IT DOES
273 * THINGS MOSLTY RIGHT. IT HAS SOME ISSUES WHEN YOU HAVE
274 * MULTIPLE A/V PAIRS FROM THE SAME ATTRIBUTE ( IE, VSA'S ).
275 * THAT NEEDS A BIT OF WORK STILL.... -cparker@starnetusa.net
278 DEBUG2(" attr_filter: Matched entry %s at line %d", pl->name, pl->lineno);
281 usedefault = fallthrough(pl->check);
283 check_items = pl->check;
285 for( check_item = check_items; check_item != NULL ;
286 check_item = check_item->next ) {
289 * If it is a SET operator, add the attribute to
290 * the reply list without checking reply_items.
294 if( check_item->operator == T_OP_SET ) {
295 tmp = paircreate(check_item->attribute, check_item->type);
297 radlog(L_ERR|L_CONS, "no memory");
301 case PW_TYPE_INTEGER:
304 tmp->lvalue = check_item->lvalue;
307 strNcpy((char *)tmp->strvalue,
308 (char *)check_item->strvalue,
309 sizeof(tmp->strvalue));
310 tmp->length = check_item->length;
313 /* DEBUG2(" attr_filter: creating vp %s - %d - %d",
314 tmp->name, tmp->type, tmp->lvalue); */
315 pairadd(&reply_tmp, tmp);
319 reply_item = pairfind(*reply_items, check_item->attribute);
321 /* DEBUG2(" attr_filter: checking for: %s", check_item->name); */
323 if(reply_item != (VALUE_PAIR *)NULL) {
325 compare = simplepaircmp(reply_item, check_item);
327 /* DEBUG2(" attr_filter: compare = %d", compare); */
329 switch(check_item->operator) {
333 radlog(L_ERR, "Invalid operator for item %s: "
334 "reverting to '=='", check_item->name);
338 mypairmove( &reply_tmp, reply_items,
339 check_item->attribute);
345 mypairmove( &reply_tmp, reply_items,
346 check_item->attribute);
352 mypairmove( &reply_tmp, reply_items,
353 check_item->attribute);
359 mypairmove( &reply_tmp, reply_items,
360 check_item->attribute);
366 mypairmove( &reply_tmp, reply_items,
367 check_item->attribute);
373 mypairmove( &reply_tmp, reply_items,
374 check_item->attribute);
379 regcomp(®, (char *)check_item->strvalue, 0);
380 compare = regexec(®, (char *)reply_item->strvalue,
384 mypairmove( &reply_tmp, reply_items,
385 check_item->attribute);
390 regcomp(®, (char *)check_item->strvalue, 0);
391 compare = regexec(®, (char *)reply_item->strvalue,
395 mypairmove( &reply_tmp, reply_items,
396 check_item->attribute);
408 pairfree(&request->reply->vps);
409 request->reply->vps = reply_tmp;
412 * See if we succeeded. If we didn't find the realm,
413 * then exit from the module.
416 return RLM_MODULE_OK;
419 * Remove server internal parameters.
421 pairdelete(reply_items, PW_FALL_THROUGH);
423 return RLM_MODULE_UPDATED;
429 static int attr_filter_detach(void *instance)
431 struct attr_filter_instance *inst = instance;
432 pairlist_free(&inst->attrs);
433 free(inst->attrsfile);
439 /* globally exported name */
440 module_t rlm_attr_filter = {
442 0, /* type: reserved */
443 NULL, /* initialization */
444 attr_filter_instantiate, /* instantiation */
445 attr_filter_authorize, /* authorization */
446 NULL, /* authentication */
447 NULL, /* preaccounting */
448 NULL, /* accounting */
449 NULL, /* checksimul */
450 attr_filter_detach, /* detach */